Cisco ASA 5505 User Manual

52-25

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 52 Configuring Cisco Intercompany Media Engine Proxy

Configuring Cisco Intercompany Media Engine Proxy

What to Do Next

Once you have created the TLS proxy, enable it for SIP inspection.

Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy

Enable the TLS proxy for SIP inspection and define policies for both entities that could initiate the
connection.

The example command lines in this task are based on a basic (in-line) deployment. See

Figure 52-6 on

page 52-11

for an illustration explaining the example command lines in this task.

Note

If you want to change any Cisco Intercompany Media Engine Proxy settings after you enable SIP
inspection, you must enter the no service-policy

command, and then reconfigure the service policy as

described in this procedure. Removing and reconfiguring the service policy does not affect existing calls;
however, the first call traversing the Cisco Intercompany Media Engine Proxy will fail. Enter the clear
connection command and restart the ASA.

To enable SIP inspection for the Cisco Intercompany Media Engine Proxy, perform the following steps:

Step 6

hostname(config-tlsp)# server trust-point

proxy_trustpoint

Example:

hostname(config-tlsp)# server trust-point local-ent

For inbound connections, specifies the proxy
trustpoint certificate presented during TLS
handshake. The certificate must be owned by the
adaptive security appliance (identity certificate).

Where proxy_trustpoint specifies the trustpoint
defined by the crypto ca trustpoint command in

Step 2

in

“Creating Trustpoints and Generating

Certificates” section on page 52-21

.

Because the TLS proxy has strict definition of client
proxy and server proxy, two TLS proxy instances
must be defined if either of the entities could initiate
the connection.

Step 7

hostname(config-tlsp)# client cipher-suite

cipher_suite

Example:

hostname(config-tlsp)# client cipher-suite

aes128-sha1 aes256-sha1 3des-sha1 null-sha1

For inbound connections, controls the TLS
handshake parameter for the cipher suite.

Where

cipher_suite

includes des-sha1, 3des-sha1,

aes128-sha1, aes256-sha1, or null-sha1.

Step 8

hostname(config-tlsp)# exit

Exits from the TSL proxy configuration mode.

Step 9

hostname(config)# ssl encryption 3des-shal

aes128-shal

[algorithms]

Specifies the encryption algorithms that the
SSL/TLS protocol uses. Specifying the 3des-shal
and aes128-shal is required. Specifying other
algorithms is optional.

Note

The Cisco Intercompany Media Engine
Proxy requires that you use strong
encryption. You must specify this command
when the proxy is licensed using a K9
license.

Command

Purpose